Changeset to fix various use-after-free bugs, among them CVE-2010-0629.
Index: src/kdc/network.c
===================================================================
--- src/kdc/network.c (revision 22426)
+++ src/kdc/network.c (revision 22427)
@@ -775,10 +775,8 @@
 return;
 }
 if (cc != response->length) {
- krb5_free_data(kdc_context, response);
 com_err(prog, 0, "short reply write %d vs %d\n", response->length, cc);
- return;
 }
 krb5_free_data(kdc_context, response);
 return;
Index: src/kadmin/server/server_stubs.c
===================================================================
--- src/kadmin/server/server_stubs.c (revision 22426)
+++ src/kadmin/server/server_stubs.c (revision 22427)
@@ -1628,7 +1628,7 @@
 }
 if (ret.code != 0)
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ errmsg = krb5_get_error_message(NULL, ret.code);
 else errmsg = "success";
Index: src/lib/krb5/krb/mk_cred.c
===================================================================
--- src/lib/krb5/krb/mk_cred.c (revision 22426)
+++ src/lib/krb5/krb/mk_cred.c (revision 22427)
@@ -176,8 +176,8 @@
 if ((pcred->tickets = (krb5_ticket **)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) {
- retval = ENOMEM;
 free(pcred);
+ return ENOMEM;
 }
 memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1));
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c (revision 22426)
+++ src/slave/kprop.c (revision 22427)
@@ -1,7 +1,7 @@
 /*
 * slave/kprop.c
 *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
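Review bot: In the src/kdc/network.c hunk, the `com_err` call that now runs while `response` is still live prints `response->length` with `%d`, although `krb5_data.length` is an unsigned int; the conversion should be `%u`. The specifier for `cc` has to match its declared type, which is outside the hunk. The arguments are also passed in the opposite order from the comparison `cc != response->length`, so a line such as `com_err(prog, 0, "short reply write: sent %d of %u bytes", cc, response->length);` would be easier to read in the KDC log. The enclosing function starts outside the hunk.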
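Review bot: In the src/kadmin/server/server_stubs.c hunk, nothing at the call site records why `krb5_get_error_message` is now given `NULL` instead of `handle->context`, so a later cleanup could put the handle dereference back. If the reason is that the handle may already have been released by this point (the release is not visible in the hunk), a comment such as `/* handle may be freed by now; do not dereference it for the error text */` would record that. A NULL context also yields only the generic text for `ret.code`, so fetching the message before the handle is released would keep any context-specific detail in the audit log. The enclosing function starts and ends outside the hunk.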
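Review bot: In the src/lib/krb5/krb/mk_cred.c hunk, the ticket array is still sized with an unchecked `sizeof(krb5_ticket *) * (ncred + 1)` and then zeroed by a separate `memset` that repeats the expression. `pcred->tickets = calloc(ncred + 1, sizeof(krb5_ticket *));` does both in one call and fails cleanly if the product overflows; whether `ncred` can grow that large depends on callers outside the hunk. The new early `return ENOMEM` is correct only if nothing allocated earlier in the function, other than `pcred`, still needs releasing, which the hunk does not show.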
@@ -505,12 +505,12 @@
 free(data_ok_fn);
 exit(1);
 }
- free(data_ok_fn);
 if (stbuf.st_mtime > stbuf_ok.st_mtime) {
 com_err(progname, 0, "'%s' more recent than '%s'.", data_fn, data_ok_fn);
 exit(1);
 }
+ free(data_ok_fn);
 *size = stbuf.st_size;
 return(fd);
 }
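Review bot: The two `exit(1)` paths in this src/slave/kprop.c hunk now treat `data_ok_fn` differently: the first frees it before exiting, while the second, which still needs it for the `com_err` text, exits without freeing. Both are harmless because the process ends, but the relocated `free(data_ok_fn);` has no comment tying it to the last use of the buffer. A comment such as `/* last use of data_ok_fn is the message above */` would keep the free from drifting back above the mtime comparison. The function starts outside the hunk.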